[cabfpub] Brazilian bank DNS heist

philliph at comodo.com philliph at comodo.com
Mon Apr 10 18:10:27 UTC 2017


> On Apr 6, 2017, at 3:44 PM, Richard Moore <rich at kde.org> wrote:
> 
> I'm including Ryan since he's said before he's willing to forward things to the CAB list. Comments inline.
> 
> On 6 April 2017 at 18:46, philliph--- via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> Some observations:
> 
> * Any solution is going to have to involve some form of forward acting statement ‘do this for the next X hours’.
> 
> 
> Yes
> 
>  
> * We now have two mechanisms that are viable as publication infrastructures - DNS and CT
> 
> Since accessing the CT logs involves DNS, we have approximately one but two formats to represent the data.
> 
>  
> * The problems with pinning are real, very few companies can risk shutting themselves down for an extended period if they goof. The problem with pinning is that the time period really does need to be fairly long if it is to be any use. I do not visit my bank every day. I probably don’t visit for a month at times.
> 
> 
> While I agree about the risk of error I think your analysis is wrong. If a bunch of people all have the forward looking statement then any one of them visiting the site and triggering the error can inform the others. An example of this in practice is the use of certificate pinning for google properties which have successfully notified people other than the victim of an attack that an attack was taking place. Having a solution that offered protection to the majority would be an improvement when considering the case of an individual (who might not visit a site very often).
> 
> For this specific situation I think expecting the endpoint to refresh their pinning information regularly would be entirely reasonable.

Well it really depends on what you want to do with the pinning information.

I agree that you can use a short time if all you are seeking to do is to detect a possible compromise. But if all you are going to do is notify someone of a possible issue, there is no problem with a longer time either.

The problem comes if the objective is to block if the site is not in conformance. Which is the objective as I understand it for most of the people pushing for pinning. And that is where I have seen pushback from the target market. For many banks, being knocked over and losing a few million to phishing gangs is actually a much lower concern than having their Website be unavailable for a week. So the key pinning idea really isn’t as attractive to them as it is to us.


Pulling together some of the other comments in this thread, I think the common feature is to somehow soften the consequence of screwing up the pinning without creating too much of a hole for the attackers. There is almost certainly a viable compromise there somewhere but what we have right now isn’t it.
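The trade-off discussed in this message (a forward-acting "do this for the next X hours" statement, a short lifetime if the goal is only to detect and notify, a long lifetime if the goal is to block, and the self-inflicted outage risk when a site goofs) can be made concrete with a small client-side pin cache. The code below is an added example written for this archive page; it is not code from the thread or from any CA/B Forum participant. It models the pin statement in the RFC 7469 (HTTP Public Key Pinning) header format, with `max-age` as the lifetime, `pin-sha256` values as base64(SHA-256(SubjectPublicKeyInfo)), and RFC 7469's rule that a header is only cached when it also carries a backup pin not present in the served chain. The host name, the key byte strings and the header are constructed placeholders: real pins hash the DER SubjectPublicKeyInfo, not arbitrary bytes.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
MAX_AGE_RE = re.compile(r'max-age=(\d+)')


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Client-side cache of forward-acting pin statements, keyed by host."""

    def __init__(self):
        self.entries = {}  # host -> (frozenset of pins, expiry time in seconds)

    def remember(self, host, header, chain_spki, now):
        """Accept a Public-Key-Pins header seen on a validated connection.
        Returns True if the statement was stored (or cleared), False if ignored."""
        pins = frozenset(PIN_RE.findall(header))
        age = MAX_AGE_RE.search(header)
        if not pins or age is None:
            return False
        max_age = int(age.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 is the site's "forget me" signal
            return True
        presented = {spki_pin(s) for s in chain_spki}
        # RFC 7469 section 2.5: the header is only valid if the chain matches
        # at least one pin AND at least one pin is absent from the chain (a
        # backup pin). Refusing to cache anything else is what limits the
        # self-inflicted lockout the thread is worried about.
        if not (pins & presented) or not (pins - presented):
            return False
        self.entries[host] = (pins, now + max_age)
        return True

    def check(self, host, chain_spki, now, mode="enforce"):
        """Evaluate a new connection. Returns (verdict, action)."""
        entry = self.entries.get(host)
        if entry is None:
            return "unpinned", "allow"
        pins, expires_at = entry
        if now >= expires_at:
            del self.entries[host]  # statement lapsed: back to ordinary validation
            return "expired", "allow"
        if pins & {spki_pin(s) for s in chain_spki}:
            return "match", "allow"
        # Pin mismatch: "enforce" blocks the connection, "report" lets it
        # proceed and only raises an alert (the report-uri idea in RFC 7469).
        return "mismatch", ("block" if mode == "enforce" else "report")


# Constructed sample keys: placeholder byte strings standing in for DER
# SubjectPublicKeyInfo blobs (real pins hash the actual DER structure).
LEAF_SPKI = b"constructed-leaf-key"
INTERMEDIATE_SPKI = b"constructed-intermediate-key"
BACKUP_SPKI = b"constructed-offline-backup-key"
ROGUE_SPKI = b"constructed-key-from-a-mis-issued-cert"

THIRTY_DAYS = 30 * 24 * 3600

# Constructed header: pins the leaf key plus an offline backup key for 30 days.
SAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    f'max-age={THIRTY_DAYS}; includeSubDomains'
)


def walk_through():
    """Run the scenario from the thread: pin, then detect or block, then expire."""
    store = PinStore()
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    results = {}
    results["stored"] = store.remember("bank.example", SAMPLE_HEADER, chain, now=0)
    results["legit"] = store.check("bank.example", chain, now=1)
    results["rogue_enforce"] = store.check("bank.example", [ROGUE_SPKI], now=1, mode="enforce")
    results["rogue_report"] = store.check("bank.example", [ROGUE_SPKI], now=1, mode="report")
    results["after_expiry"] = store.check("bank.example", [ROGUE_SPKI], now=THIRTY_DAYS + 1)
    # A header with no backup pin is rejected outright rather than cached.
    no_backup = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age={THIRTY_DAYS}'
    results["no_backup_stored"] = store.remember("bank.example", no_backup, chain, now=0)
    return results


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name}: {outcome}")
```

The `mode` argument is where the two positions in the thread diverge: in `report` mode a long `max-age` costs the site nothing beyond a flood of alerts if it rolls keys badly, so a lifetime covering a user's month-long absence is harmless; in `enforce` mode that same lifetime is the outage window, which is why the backup-pin rule and the `max-age=0` escape hatch matter before anyone considers a blocking deployment.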




